Azure users unable to log in when integrated with Data Center SSO 2.0

Platform Notice: Data Center Only - This article only applies to Atlassian products on the data center platform.

Summary

After integrating Confluence Data Center with Azure Active Directory via the Data Center SSO 2.0 plugin, Azure users receive a generic "We can't log you in right now" error message when trying to log in.

Environment

  • Azure Active Directory
  • Data Center SSO 2.0 plugin

Diagnosis

For a given user encountering this situation while logging in, the following error appears in the application logs:

2021-12-22 19:01:27,386 ERROR [http-nio-8080-exec-5] [impl.web.filter.ErrorHandlingFilter] logException [UUID: 79a91343-3bf8-4cfb-a562-022612ebe316] Attribute [http://schemas.microsoft.com/ws/2008/06/identity/claims/groups] could not be found
 -- referer: https://login.microsoftonline.com/ | url: /plugins/servlet/samlconsumer | traceId: e905ee736246ea42 | userName: anonymous
com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.JitException: Attribute [http://schemas.microsoft.com/ws/2008/06/identity/claims/groups] could not be found
	at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapGroups(SamlUserDataFromIdpMapper.java:56)
	at com.atlassian.plugins.authentication.impl.web.usercontext.impl.jit.mapping.SamlUserDataFromIdpMapper.mapUser(SamlUserDataFromIdpMapper.java:28)
	at com.atlassian.plugins.authentication.impl.web.saml.SamlConsumerServlet.doPost(SamlConsumerServlet.java:105)

Inspect the SAML attributes being sent to Confluence with a tool such as SAML Chrome Panel. Normally, the SAML response contains the following attribute, with the user's groups as its values:

<Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"><AttributeValue>

Instead of that attribute, however, the response for the affected user contains this one:

<Attribute Name="http://schemas.microsoft.com/claims/groups.link"><AttributeValue>
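The following script is an added example, not code from the Atlassian article or from the Data Center SSO 2.0 plugin. It parses the AttributeStatement of a SAML assertion and reports whether the groups claim is present, whether Azure AD sent the groups.link overage indicator in its place, or whether no group claim was sent at all; it also pulls the missing claim name out of the JitException log line quoted above. The two assertions are constructed samples; the claim URIs are the ones quoted in the article, and the tenant, user and endpoint values in the groups.link sample are placeholders.

```python
"""Check a SAML assertion for the Azure AD group overage indicator.

Added example, not code from the Atlassian article or from the Data Center
SSO 2.0 plugin. The two assertions below are constructed samples; the claim
URIs are those quoted in the article. The tenant, user and endpoint values
in the groups.link sample are placeholders.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
GROUP_OVERAGE_CLAIM = "http://schemas.microsoft.com/claims/groups.link"

# Constructed sample: the healthy case, with the user's group object IDs
# listed under the groups claim.
NORMAL_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>11111111-1111-1111-1111-111111111111</saml:AttributeValue>
      <saml:AttributeValue>22222222-2222-2222-2222-222222222222</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed sample: the overage case from the article. The group list is
# absent and a single groups.link attribute is sent instead.
OVERAGE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/claims/groups.link">
      <saml:AttributeValue>https://graph.example/PLACEHOLDER-TENANT/users/PLACEHOLDER-USER/getMemberObjects</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> Dict[str, List[str]]:
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attributes: Dict[str, List[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attributes[attr.get("Name", "")] = values
    return attributes


def diagnose_group_claims(assertion_xml: str) -> Dict[str, object]:
    """Classify the assertion as 'ok', 'overage' or 'missing' with respect to group claims."""
    attributes = extract_attributes(assertion_xml)
    if GROUPS_CLAIM in attributes:
        return {"status": "ok", "groups": attributes[GROUPS_CLAIM]}
    if GROUP_OVERAGE_CLAIM in attributes:
        # Azure AD replaced the group list with the overage indicator, so the
        # plugin's JIT group mapping has nothing to map and the login fails.
        return {"status": "overage", "groups": [], "overage_link": attributes[GROUP_OVERAGE_CLAIM][0]}
    return {"status": "missing", "groups": []}


# Matches the JitException message quoted in the article's log excerpt.
MISSING_ATTRIBUTE_RE = re.compile(r"Attribute \[(?P<claim>[^\]]+)\] could not be found")


def missing_attribute_from_log(line: str) -> Optional[str]:
    """Return the claim name a JIT 'could not be found' log line complains about, if any."""
    match = MISSING_ATTRIBUTE_RE.search(line)
    return match.group("claim") if match else None


if __name__ == "__main__":
    for label, assertion in (("normal", NORMAL_ASSERTION), ("overage", OVERAGE_ASSERTION)):
        print(label, diagnose_group_claims(assertion))
```

To use it against a real login, paste the decoded assertion captured by SAML Chrome Panel into a file and pass its contents to diagnose_group_claims; a status of "overage" confirms the groups.link case described here, while "missing" points at the group claim configuration of the enterprise application rather than the group count.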

Cause

Based on Microsoft's SAML token claims reference, the groups.link attribute is a Group Overage Indicator: Azure AD emits it in place of the group list when the number of groups associated with the user exceeds the limit of 150. This scenario is tracked in SAMLDC-97: JIT does not work with Azure AD SSO for users with more than 150 groups.


Solution

As a possible workaround, consider adding the user to an application-only group and reconfiguring the application's group claim so that only groups assigned to the application are emitted (i.e. User.Groups[ApplicationGroup]). Also ensure that this group has the appropriate global permissions within the Atlassian application.


Last modified on Jan 11, 2022
